Abstract

Recently, Liaw et al. proposed a remote user authentication scheme using smart
cards. Their scheme claims a number of features, e.g. mutual authentication, no
clock synchronization, no verifier table, flexible user password change, etc. We show
that Liaw et al.'s scheme is completely insecure. By intercepting a valid login message
in Liaw et al.'s scheme, any unregistered user or adversary can easily log in to the
remote system and establish a session key.

1 Introduction

Remote system authentication is a process by which a remote system gains confidence about
the identity (or login request) of the communicating partner. Since Lamport's scheme
[1], several remote user authentication schemes and improvements have been proposed with
and without smart cards. Recently, Liaw et al. [2] proposed a remote user authentication
scheme using smart cards. Their scheme claims a number of features, e.g. mutual
authentication, no clock synchronization, no verifier table, flexible user password change,
etc. We show that Liaw et al.'s scheme is completely insecure. Any unregistered user can
easily log in to the remote system and establish a session key.



2 The Liaw et al.'s scheme 



The scheme consists of five phases: registration, login, verification, session and password 
change. 

Registration phase: A new user $U_i$ submits identity $ID_i$ and password $PW_i$ to the remote
system for registration. The remote system computes $U_i$'s secret information $v_i = h(ID_i, x)$
and $e_i = v_i \oplus PW_i$, where $x$ is a secret key maintained by the remote system and $h(\cdot)$ is a
secure one-way hash function. Then the remote system writes $h(\cdot)$ and $e_i$ into the memory
of a smart card and issues the card to $U_i$.

Login phase: When $U_i$ wants to log into the remote system, he/she inserts the smart card
into the terminal and enters $ID_i$ and $PW_i$. The smart card then performs the following
operations:

L1. Generate a random nonce $N_i$ and compute $C_i = h(e_i \oplus PW_i, N_i)$.

L2. Send the login message $\langle ID_i, C_i, N_i \rangle$ to the remote system.

Verification phase: To check the authenticity of $\langle ID_i, C_i, N_i \rangle$, the remote system
checks the validity of $ID_i$. If $ID_i$ is valid, it computes $v'_i = h(ID_i, x)$ and checks whether
$C_i = h(v'_i, N_i)$. Then it generates a random nonce $N_s$, encrypts the message $M = E_{v'_i}(N_i, N_s)$
and sends it back to the card.

The smart card decrypts the message $D_{e_i \oplus PW_i}(M)$ and gets $(N'_i, N'_s)$. Then it verifies whether
$N'_i = N_i$ and $N'_s = N_s$. If these checks hold valid, the mutual authentication is done.

Session phase: This phase involves two public parameters $q$ and $\alpha$, where $q$ is a large prime
number and $\alpha$ is a primitive element mod $q$. The phase works as follows:

S1. The remote system computes $S_i = \alpha^{N_s} \bmod q$ and sends $S_i$ to the smart card. The
smart card computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.

S2. The remote system computes $K_s = (W_i)^{N_s} \bmod q$ and the smart card computes
$K_u = (S_i)^{N_i} \bmod q$. It is easy to see that $K_s = K_u$. Then, the card and the remote
system exchange the data using the session key and $e_i$.

Password change phase: With this phase $U_i$ can change his/her $PW_i$ by the following
steps:

S1. Calculate $e'_i = e_i \oplus PW_i \oplus PW'_i$.

S2. Update $e_i$ on the memory of the smart card to set $e'_i$.

3 Security Weaknesses 

Weakness of Authentication phase: The authentication phase suffers from replay
attacks. The authenticity of the login request is not checked at all. The adversary A (or
any unregistered user) intercepts a valid login request, say $\langle ID_i, C_i, N_i \rangle$. Later A sends
$\langle ID_i, C_i, N_i \rangle$ to the remote system as a login request. To validate $\langle ID_i, C_i, N_i \rangle$, the
remote system does the following:

1. Check the validity of $ID_i$. This holds true, because the adversary sends $ID_i$,
intercepted from a valid login request.

2. Compute $v'_i = h(ID_i, x)$ and check whether $C_i = h(v'_i, N_i)$. This check also passes
successfully, because there is no record at the server side of whether $N_i$ was used in
some previous login message. Therefore the server is unable to detect whether
$C_i$ is coming from a legitimate user or from an adversary. Now we see the security
strength of the mutual authentication.

3. The remote system generates a nonce $N^*$ and encrypts the message $M = E_{v'_i}(N_i, N^*)$,
then sends $\langle M \rangle$ back to the communicating party (it assumes the logged-in entity is a
legitimate user).

Footnote: It is noted that the verification of $N'_s = N_s$ cannot be examined because the smart card does not have
information about $N_s$.

4. A will not do anything; A simply sends a valid signal saying that the server
authenticity is done, and then A gains access to the remote system. Therefore,
ultimately there are no user or server authenticity checks at all.
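
The replay described in steps 1 to 4, as an added example that is not part of the original paper: the verification check is modelled once as specified and once with the server-side record of used nonces whose absence step 2 points out. SHA-256 as $h(\cdot)$, the zero-padded password encoding, all function and class names, and all values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

X = b"constructed-server-secret"  # server key x (constructed value)

def h(*parts: bytes) -> bytes:
    """h(.) instantiated with SHA-256 over length-prefixed fields (assumption)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """a XOR b, with b zero-padded to len(a) (assumed password encoding)."""
    return bytes(x ^ y for x, y in zip(a, b.ljust(len(a), b"\0")))

def register(id_i: bytes, pw_i: bytes) -> bytes:
    """Registration: e_i = v_i XOR PW_i, with v_i = h(ID_i, x)."""
    return xor(h(id_i, X), pw_i)

def card_login(id_i: bytes, e_i: bytes, pw_i: bytes):
    """Login L1-L2: fresh N_i, C_i = h(e_i XOR PW_i, N_i)."""
    n_i = secrets.token_bytes(16)
    return id_i, h(xor(e_i, pw_i), n_i), n_i

class Server:
    def __init__(self, record_nonces: bool):
        self.record_nonces = record_nonces
        self.seen = set()  # (ID_i, N_i) pairs already accepted

    def verify(self, id_i: bytes, c_i: bytes, n_i: bytes) -> bool:
        """Verification phase: C_i == h(v'_i, N_i), v'_i = h(ID_i, x)."""
        if self.record_nonces and (id_i, n_i) in self.seen:
            return False  # N_i already used for this identity: replay
        if not hmac.compare_digest(c_i, h(h(id_i, X), n_i)):
            return False
        self.seen.add((id_i, n_i))
        return True

def replay_outcomes() -> dict:
    """Present one captured login message twice to each server variant."""
    e_i = register(b"alice", b"constructed-pw")
    captured = card_login(b"alice", e_i, b"constructed-pw")
    outcomes = {}
    for name, record in (("as specified", False), ("nonce record", True)):
        server = Server(record)
        outcomes[name] = (server.verify(*captured), server.verify(*captured))
    return outcomes

if __name__ == "__main__":
    print(replay_outcomes())
```

Recording nonces only rejects the repeated message; as step 4 notes, the scheme also never requires the client to prove it decrypted $M$.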

Weakness of Session phase: Although Liaw et al.'s scheme uses the Diffie-Hellman [3] key
exchange protocol for session key establishment, it does not consider the risk of the
Diffie-Hellman protocol (i.e., the man-in-the-middle attack) while establishing the user and
server common session key. Let us examine the weakness of the session phase.

1. The remote system computes $S_i = \alpha^{N^*} \bmod q$ and sends $S_i$ to the communicating
party. A (who has already passed the authentication phase and gained access to the
remote system) computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.

2. The remote system computes $K_s = (W_i)^{N^*} \bmod q$ and A computes $K_a = (S_i)^{N_i} \bmod q$.
It is easy to see that $K_s = K_a$.

In fact, all the parameters $N_i$, $S_i$, $W_i$, $\alpha$, $q$ are public, so anyone can compute the
session key. Once the session key is established, the remote system and A exchange data
in an encrypted manner, where $e_i$ acts as the encryption key. Firstly, the remote system
does not know $e_i$. Secondly, the session key never serves the purpose of the transaction
privacy; instead it is just xor-ed with the message and is used for transaction privacy,
which is not the actual scenario in the practical applications.

Weakness of Password change phase: There is no verification of the entered password.
This effectively makes the smart card useless. Suppose $U_i$ enters a password which
is actually misspelled or incorrect, that is, instead of $PW_i$ he/she enters $PW$.
The smart card nevertheless takes the wrong password $PW$ and asks for a new password. Now,
$U_i$ enters the new password $PW'_i$. The smart card updates the old $e_i$ by the new $e'_i$, where
$e'_i = e_i \oplus PW \oplus PW'_i = h(ID_i, x) \oplus PW_i \oplus PW \oplus PW'_i$. At the next login, $U_i$
cannot log in to the remote system, because the verification of $C_i$ fails. In another scenario,
if $U_i$'s smart card is lost or stolen, then the party who got the smart card would try to log in
and enter some random password, which leads to the card being blocked, as there is no provision
for checking the entered password.
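
The password change failure carried through in code, as an added example that is not part of the original paper. SHA-256 as $h(\cdot)$, the zero-padded password encoding, the names `SmartCard`, `server_accepts` and `login_after_change`, and all values are assumptions constructed for illustration.

```python
import hashlib

X = b"constructed-server-secret"  # server key x (constructed value)
ID_I, PW_I, NEW_PW = b"alice", b"old-password", b"new-password"  # constructed

def h(*parts: bytes) -> bytes:
    """h(.) instantiated with SHA-256 over length-prefixed fields (assumption)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """a XOR b, with b zero-padded to len(a) (assumed password encoding)."""
    return bytes(x ^ y for x, y in zip(a, b.ljust(len(a), b"\0")))

class SmartCard:
    """Stores only e_i, as in the scheme, so it has nothing to check PW against."""

    def __init__(self, id_i: bytes, pw_i: bytes):
        self.id_i = id_i
        self.e_i = xor(h(id_i, X), pw_i)  # e_i = v_i XOR PW_i

    def change_password(self, entered_old: bytes, new_pw: bytes) -> None:
        # S1-S2: e'_i = e_i XOR PW XOR PW'_i, applied to whatever PW was typed
        self.e_i = xor(xor(self.e_i, entered_old), new_pw)

    def login(self, pw: bytes, n_i: bytes):
        # C_i = h(e_i XOR PW, N_i)
        return self.id_i, h(xor(self.e_i, pw), n_i), n_i

def server_accepts(id_i: bytes, c_i: bytes, n_i: bytes) -> bool:
    """Verification phase check C_i == h(h(ID_i, x), N_i)."""
    return c_i == h(h(id_i, X), n_i)

def login_after_change(entered_old: bytes) -> bool:
    """Change the password using entered_old, then log in with the new one."""
    card = SmartCard(ID_I, PW_I)
    card.change_password(entered_old, NEW_PW)
    return server_accepts(*card.login(NEW_PW, b"constructed-nonce"))

if __name__ == "__main__":
    print("correct old password:", login_after_change(b"old-password"))
    print("misspelled old password:", login_after_change(b"old-pasword"))
```

After a change made with the wrong $PW$, the card holds $v_i \oplus PW_i \oplus PW \oplus PW'_i$, so the new password recovers $v_i \oplus PW_i \oplus PW$ rather than $v_i$, and the server's check of $C_i$ fails.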

4 Conclusion 

We have shown the security weaknesses of Liaw et al.'s scheme. The design of Liaw
et al.'s scheme is so weak that anyone can log in to the remote system by just intercepting
a valid login message.